Researchers Report Windows Flaws Bypassing Microsoft

Researchers last week described some issues that possibly affect the security of Windows systems and their components.

The Wintercore blog Tuesday pointed to a memory leak problem associated with the MSHTML.DLL library file used with Internet Explorer 8 on 32-bit and 64-bit versions of Windows XP, Windows Vista, and Windows 7. The blog described the flaw as a zero-day vulnerability that is "not so critical [to fix] but interesting."

No fix is described in the Wintercore blog, and Microsoft hasn't commented on the possible flaw. Apparently, the Wintercore researcher is working outside of Microsoft's "responsible disclosure" (or private reporting) guidelines, which seems to have caused frustration among some researchers.

For instance, a group calling itself the "Microsoft-Spurned Researcher Collective" published a Full Disclosure report on Wednesday about a possible vulnerability in Windows Vista and Windows Server 2008. The report says that the "NtUserCheckAccessForIntegrityLevel" process is affected and it prompted Microsoft to fix a registry key setting. Security firm Secunia also noted the warning, deeming it "less critical" to fix.

The Microsoft-Spurned Researcher Collective uses a name that mocks that of the Microsoft Security Response Center, which also shares the "MSRC" acronym. The collective issued a statement criticizing Microsoft's response to Tavis Ormandy, a security researcher who works for Google. Ormandy publicized a Windows help function flaw just five days after revealing it to Microsoft. The disclosure put "customers at risk," according to Microsoft. However, the collective suggested that it would freely disclose other such flaws in a public manner.

"Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective," the Full Disclosure report stated. "MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer."

Microsoft issued a security advisory last month about the Windows help flaw, which affects Windows XP-based systems. Later, after the disclosure by Ormandy, Microsoft said that the flaw was being actively exploited. Microsoft then stated in a blog post June 30 that exploit attempts had become more sophisticated and that more than 10,000 attacks had been attempted between June 15 and June 29.

Security firm Symantec noted last week that a sophisticated attack has been discovered that taps into the Windows help flaw. The attack targeted two unnamed defense contractors using bogus e-mails to get users to visit a malicious Web page and download malware.

Those using Microsoft's security solutions have had protection from the Windows XP help flaw since June 10, according to Microsoft's blog. "We'll continue to monitor this situation and provide updates as appropriate," the Microsoft security team stated. Possibly, Microsoft could issue a fix during this month's security update, scheduled for Tuesday, July 13.

Meanwhile, Secunia this week pointed to a buffer overflow problem in the Windows MFC42.DLL library that may be a "moderately critical" security issue. It affects Windows 2000 Professional Service Pack 4 and Windows XP SP2/SP3. A known attack vector for this vulnerability, which can enable remote code execution attacks, is the PowerZip version 7.2 Build 4010 program, according to Secunia.

Microsoft may issue a patch for MFC42.DLL, but it might be the last one issued for these operating systems since support will be expiring. Windows 2000 and Windows XP SP2 will no longer get security updates after July 13, 2010. A Microsoft Twitter post stated that Microsoft is currently investigating the MFC42.DLL matter.

Lastly, Secunia cited security researcher Soroush Dalili's report of a flaw in Microsoft Internet Information Services 5.1 running on Windows XP SP3. Secunia described the vulnerability as "moderately critical" to fix and stated that users can avoid it by not relying on "the basic authentication method [of IIS 5.1] to restrict access to resources."

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
